From 6631ce4d6e36aca721b753d15f27c1d67e365252ccc43e5a2f79fc2cfa8bca59 Mon Sep 17 00:00:00 2001
From: Till Wegmueller
Date: Sun, 2 Nov 2025 20:48:05 +0100
Subject: [PATCH] Add insecure TLS support, CA bundle handling, and package update for SunOS environments

This commit introduces the following updates:
- Adds an environment variable (`SOLSTICE_ALLOW_INSECURE`) to enable insecure TLS as a fallback for curl.
- Improves CA certificate handling and automatic installation on SunOS using IPS or pkgin.
- Extends fallback logic for repository fetching to cover scenarios with missing CA bundles.
- Updates Solstice job script dependencies to include `cmake`.
---
 .solstice/job.sh | 2 +-
 crates/workflow-runner/src/main.rs | 27 ++++++++++++++++++++++++---
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/.solstice/job.sh b/.solstice/job.sh
index 3fa753e..a856bf1 100755
--- a/.solstice/job.sh
+++ b/.solstice/job.sh
@@ -29,7 +29,7 @@ install_linux() {
     apt)
       sudo -n true 2>/dev/null || true
       sudo apt-get update -y || apt-get update -y || true
-      sudo apt-get install -y --no-install-recommends curl ca-certificates git build-essential pkg-config libssl-dev protobuf-compiler || true
+      sudo apt-get install -y --no-install-recommends curl ca-certificates git build-essential pkg-config libssl-dev protobuf-compiler cmake || true
       ;;
     dnf)
       sudo dnf install -y curl ca-certificates git gcc gcc-c++ make pkgconf-pkg-config openssl-devel protobuf-compiler || true
diff --git a/crates/workflow-runner/src/main.rs b/crates/workflow-runner/src/main.rs
index c099ca9..2170a95 100644
--- a/crates/workflow-runner/src/main.rs
+++ b/crates/workflow-runner/src/main.rs
@@ -78,9 +78,13 @@ async fn fetch_repo_via_archive(repo_https: &str, sha: &str, workdir: &str) -> R
     let base = repo_https.trim_end_matches('.').trim_end_matches(".git");
     let url = format!("{}/archive/{}.tar.gz", base, sha);
 
+    // Check if we should allow insecure TLS (last resort)
+    let insecure = std::env::var("SOLSTICE_ALLOW_INSECURE").ok().map(|v| v == "1" || v.eq_ignore_ascii_case("true")).unwrap_or(false);
+    let curl_flags = if insecure { "-fSLk" } else { "-fSL" };
+
     // Try curl | tar, then wget | tar
     let cmd_curl = format!(
-        "mkdir -p {workdir} && curl -fSL {url} | tar -xz -C {workdir} --strip-components=1"
+        "mkdir -p {workdir} && curl {curl_flags} {url} | tar -xz -C {workdir} --strip-components=1"
     );
     if run_shell(&cmd_curl).await.is_ok() {
         return Ok(());
@@ -92,7 +96,7 @@ async fn fetch_repo_via_archive(repo_https: &str, sha: &str, workdir: &str) -> R
         return Ok(());
     }
 
-    // On illumos/SunOS images, curl/wget may be missing. Try to install curl and retry.
+    // On illumos/SunOS images, curl/wget may be missing or CA bundle absent. Try to install tools and CA certs, then retry.
     let os = std::env::var("SOLSTICE_OS_OVERRIDE").ok().unwrap_or_else(|| {
         // Best-effort OS detection
         std::env::consts::OS.to_string()
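Review bot: `curl_flags` feeds `-k` into `cmd_curl`, the very first fetch attempt, so once `SOLSTICE_ALLOW_INSECURE` is set every download runs with certificate verification disabled — not the "last resort" the comment two lines above it and the commit message describe. Keep the first attempt verified, `"mkdir -p {workdir} && curl -fSL {url} | tar -xz -C {workdir} --strip-components=1"`, and confine `-k` to the explicit retry that follows the CA-certificate install later in this function; the `curl_flags` binding can then be dropped. The opt-in itself deserves a `warn!` at the point `insecure` is computed, since it changes the trust model for every fetch in the run rather than for one retry. `{url}` and `{workdir}` are still interpolated unquoted into the shell string; if either can carry shell metacharacters from the caller, quote them. fetch_repo_via_archive continues outside the hunk.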
@@ -104,16 +108,33 @@ async fn fetch_repo_via_archive(repo_https: &str, sha: &str, workdir: &str) -> R
     if is_sunos {
         // Try IPS (pkg) first, then pkgin
         let _ = run_shell("sudo pkg refresh || true").await;
+        // curl
         if run_shell("sudo pkg install -v web/curl").await.is_err() {
             let _ = run_shell("sudo pkgin -y install curl").await;
         }
-        // Retry with curl
+        // CA certificates (package name may differ per distro)
+        let _ = run_shell("sudo pkg install -v web/ca-certificates || sudo pkg install -v library/security/ca-certificates || true").await;
+        let _ = run_shell("sudo pkgin -y install mozilla-rootcerts || true").await;
+        let _ = run_shell("sudo mozilla-rootcerts install || true").await;
+
+        // Retry with curl and wget
         if run_shell(&cmd_curl).await.is_ok() {
             return Ok(());
         }
         if run_shell(&cmd_wget).await.is_ok() {
             return Ok(());
         }
+
+        // As a last resort with explicit opt-in, try curl --insecure
+        if insecure {
+            let cmd_curl_insecure = format!(
+                "mkdir -p {workdir} && curl -fSLk {url} | tar -xz -C {workdir} --strip-components=1"
+            );
+            if run_shell(&cmd_curl_insecure).await.is_ok() {
+                warn!("used curl --insecure to fetch repo archive on SunOS");
+                return Ok(());
+            }
+        }
     }
 
     Err(miette::miette!("failed to fetch repo archive via HTTP for {url}"))
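Review bot: The `if insecure` block at the end of the SunOS branch re-runs a command identical to `cmd_curl`, because `cmd_curl` is already built with `-fSLk` whenever `insecure` is true (the `curl_flags` binding earlier in this function, in the previous hunk), so this retry cannot succeed where the attempt just above it failed, and the `warn!` under-reports — verification was already off for every earlier attempt. If the first attempt is kept strictly verified, this block becomes the only place `-k` is used and the warning becomes accurate; otherwise it is dead weight and should go. The fallback is also gated only on the environment variable, not on the failure being a certificate problem; if `run_shell` exposes the exit status, restricting it to curl's certificate-verification failure (exit code 60) would avoid disabling TLS checks for unrelated network errors. Where the freshly installed root certificates land at a known path, pointing curl at them with `--cacert` would avoid `-k` entirely. fetch_repo_via_archive continues outside the hunk.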